Rework OpenID service cookie handling

mig/server/grid_openid.py

@@ -1,3 +1,3 @@
 #!/usr/bin/env python
 # -*- coding: utf-8 -*-
 #
@@ -116,7 +116,7 @@
     from mig.shared.tlsserver import hardened_ssl_context
     from mig.shared.url import urlparse, urlencode, check_local_site_url, \
         parse_qsl
     from mig.shared.useradm import get_openid_user_dn, check_password_scramble, \
         check_hash
     from mig.shared.userdb import default_db_path
     from mig.shared.validstring import possible_user_id
@@ -130,12 +130,12 @@
 cert_field_map.update({'role': 'ROLE', 'timezone': 'TZ', 'nickname': 'NICK',
                        'fullname': 'CN', 'o': 'O', 'ou': 'OU'})
 cert_field_names = list(cert_field_map)
 cert_field_values = list(cert_field_map.values())
 cert_field_aliases = {}
 
 # NOTE: response may contain password on the form
 # (<Symbol Bare namespace>, 'password'): 'S3cr3tP4ssw0rd'
 pw_pattern = "\(<Symbol Bare namespace>, 'password'\): '(.+)'"
 pw_regexp = re.compile(pw_pattern)
 
 
@@ -158,7 +158,7 @@
 def valid_cert_fields(arg):
     """Make sure only valid cert field names are allowed"""
     valid_job_id(arg, extra_chars=',')
     if [i for i in arg.split(',') if not i in cert_field_names]:
         invalid_argument(arg)
 
 
@@ -303,7 +303,7 @@
 
         # Add our own SReg fields to list of valid fields from sreg 1.1 spec
         for (key, val) in cert_field_map.items():
             if not key in sreg.data_fields:
                 sreg.data_fields[key] = key.replace('_', ' ').title()
         # print "DEBUG: sreg fields: %s" % sreg.data_fields
         for name in cert_field_names:
@@ -397,11 +397,19 @@
             cookies = self.headers.get('Cookie')
             cookie = http.cookies.SimpleCookie(cookies)
             cookie_dict = dict((k, v.value) for k, v in cookie.items())
-            retry_url = cookie_dict.get('retry_url', '')
+            retry_url_enc = cookie_dict.get('retry_url_enc', '')
+            logger.debug("found retry_url_enc: %s" % retry_url_enc)
+            if retry_url_enc:
+                # NOTE: b64decode takes str and returns bytes
+                retry_url = force_native_str(base64.b64decode(retry_url_enc))
+            else:
+                retry_url = ''
+            logger.debug("decoded retry_url: %s" % retry_url)
             if retry_url and retry_url.startswith("http"):
                 raise InputException("invalid retry_url: %s" % retry_url)
             elif retry_url:
-                valid_url(retry_url)
+                # NOTE: we get here with /openid/id/EMAIL as retry_url
+                valid_url(retry_url, extra_chars='@')
         except http.cookies.CookieError as err:
             retry_url = None
             logger.error("found invalid cookie: %s" % err)
@@ -411,15 +419,40 @@
 
         return retry_url
 
+    def __format_retry_url_for_cookie(self):
+        """Format retry_url to fit in cookie"""
+        if self.retry_url is None:
+            retry_url = ''
+        else:
+            retry_url = self.retry_url
+        # NOTE: prevent header injection from cookie or header splitting
+        retry_url = retry_url.replace('\r', '').replace('\n', '')
+        logger.debug("encoding retry_url: %s" % retry_url)
+        try:
+            # NOTE: we get here with /openid/id/EMAIL as retry_url
+            valid_url(retry_url, extra_chars='@')
+        except InputException as exc:
+            retry_url = ''
+            logger.error("found invalid retry_url: %s" % exc)
+
+        # NOTE: b64encode takes bytes and returns bytes
+        enc = force_native_str(base64.b64encode(force_utf8(retry_url)))
+        logger.debug("encoded retry_url: %s" % enc)
+        cookie = http.cookies.SimpleCookie()
+        cookie['retry_url_enc'] = enc
+        cookie['retry_url_enc']['secure'] = True
+        cookie['retry_url_enc']['httponly'] = True
+        return cookie.output(header='').strip()
+
     def clearUser(self):
         """Reset all saved user variables"""
         self.user = None
         self.user_dn = None
         self.user_dn_dir = None
         self.password = None
         self.login_expire = None
 
     def do_GET(self):
         """Handle all HTTP GET requests"""
         # Make sure key is always available for exception handler
         key = 'UNSET'
@@ -442,7 +475,7 @@
             # Resolve retry url, strip password and err
 
             retry_query = {key: val for (key, val) in self.query.items()
                            if not key in ['password', 'err']}
             self.retry_url = "%s?%s" \
                 % (self.parsed_uri[2], urlencode(retry_query))
 
@@ -507,7 +540,7 @@
 </p>""" % (configuration.support_email, error_ref)
             self.showErrorPage(err_msg, error_code=500)
 
     def do_POST(self):
         """Handle all HTTP POST requests"""
         try:
             # NOTE: force native string even if socketserver provides bytes
@@ -634,7 +667,7 @@
         # Old IE 8 does not send contents of submit buttons thus only the
         # fields login_as and password are set with the allow requests. We
         # manually add a yes here if so to avoid the else case.
         if not 'yes' in query and not 'no' in query:
             query['yes'] = 'yes'
 
         if 'yes' in query:
@@ -721,7 +754,7 @@
                 logger.warning("handleAllow rejected login %s" % identity)
                 # logger.debug("full query: %s" % self.query)
                 # logger.debug("full headers: %s" % self.headers)
                 fail_user, fail_pw = self.user, self.password
                 self.clearUser()
                 # Login failed - return to refering page to let user try again
                 retry_url = self.__retry_url_from_cookie()
@@ -852,7 +885,7 @@
         self.addSRegResponse(request, response)
         return response
 
     def rejected(self, request, identifier=None):
         """Reject helper"""
         response = request.answer(False, identity=identifier)
         return response
@@ -941,7 +974,7 @@
                                         allow_legacy):
                 logger.info("Accepted password hash login for %s from %s" %
                             (username, addr))
                 self.user_dn = distinguished_name
                 self.user_dn_dir = client_id_dir(distinguished_name)
                 self.login_expire = int(time.time() + self.session_ttl)
                 return True
@@ -1268,7 +1301,7 @@
             </fieldset>
             </form>
             <p>
             <a href="%(sid_url)s/cgi-sid/reqpwreset.py?show=migoid">Forgot your password?
             </a>
             </p>
             </div>
@@ -1304,7 +1337,7 @@
               <input type="checkbox" id="remember" name="remember" value="yes"
                   /><label for="remember">Remember this
                   decision</label><br />
               Password: <input type="password" name="password" autofocus /><br />
               <input type="submit" name="yes" value="yes" />
               <input type="submit" name="no" value="no" />
             </form>
@@ -1473,7 +1506,7 @@
 
         <p>The URL for this server is
         <a href=%s><span class="verbatim">%s</span></a>.</p>
         ''' % (user_message, quoteattr(self.server.base_url), self.server.base_url))
 
     def showLoginPage(self, success_to, fail_to, query):
         """Login page provider"""
@@ -1578,8 +1611,7 @@
 
         self.send_response(response_code)
         self.writeUserHeader()
-        self.send_header('Set-Cookie', 'retry_url=%s;secure;httponly'
-                         % self.retry_url)
+        self.send_header('Set-Cookie', self.__format_retry_url_for_cookie())
         self.send_header('Content-type', 'text/html')
         self.end_headers()
         page_template = openid_page_template(configuration, head_extras)